Introduction: Critical Controls for Effective Cyber Defense
To secure against cyber attacks, organizations must vigorously defend their networks and systems from a variety of internal and external threats. They must also be prepared to detect and thwart damaging follow-on attack activities inside a network that has already been compromised. Two guiding principles are: "Prevention is ideal but detection is a must" and "Offense informs defense."
The Goal of the Critical Controls
The goal of the Critical Controls is to protect critical assets, infrastructure, and information by strengthening your organization's defensive posture through continuous, automated protection and monitoring of your sensitive information technology infrastructure to reduce compromises, minimize the need for recovery efforts, and lower associated costs.
Why the Controls Work So Well: Methodology and Contributors
The strength of the Critical Controls is that they reflect the combined knowledge of actual attacks and effective defenses held by experts in the many organizations that have exclusive and deep knowledge of current threats. These experts come from multiple agencies of the U.S. Department of Defense, the Nuclear Laboratories of the U.S. Department of Energy, the U.S. Computer Emergency Readiness Team of the U.S. Department of Homeland Security, the United Kingdom's Centre for the Protection of Critical Infrastructure, the FBI and other law enforcement agencies, the Australian Defence Signals Directorate, and government and civilian penetration testers and incident handlers. Top experts from all these organizations pooled their extensive first-hand knowledge of actual cyber attacks and developed a consensus list of the best defensive techniques to stop them. This has ensured that the Critical Controls are the most effective and specific set of technical measures available to detect, prevent, and mitigate damage from the most common and damaging of those attacks.
The Council on CyberSecurity works to ensure that updated versions of the Critical Controls incorporate the most relevant threat information and to share lessons learned by organizations implementing them.[1] The roster of government agencies and private organizations from around the world participating in this effort has expanded significantly, and each contributor is committed to sharing information on the latest attacks and root causes of those attacks.
Thus, the Controls are both a living document, updated regularly as threats change, and a solid, prioritized program for making fundamental computer security defenses a well-understood, replicable, measurable, scalable, reliable, automatable, and continuous process. The Controls deal with multiple kinds of computer attackers, including malicious internal employees and contractors, independent individual external actors, organized crime groups, terrorists, and nation-state actors, as well as mixes of these different threats.
The Controls are not limited to blocking the initial compromise of systems, but also address detecting already-compromised machines and preventing or disrupting attackers' follow-on actions. The defenses identified through these controls deal with reducing the initial attack surface by hardening security, identifying compromised machines to address long-term threats inside an organization's network, and disrupting attackers' command-and-control of implanted malicious code.
Building on Lessons Learned from Developing Cybersecurity Standards
The Critical Controls encompass and amplify efforts over the last decade to develop security standards, including the Security Content Automation Program (SCAP) sponsored by the National Institute of Standards and Technology (NIST) and the Associated Manageable Network Plan Milestones and Network Security Tasks developed by the National Security Agency (NSA). In particular, NSA's work allowed for prioritizing the controls based on whether they address operational conditions being actively targeted and exploited, combat a large number of attacks, block attacks early in the compromise cycle, and deal with an expected high impact of successful exploitation. The Controls focus on automation to provide cost efficiency, measurable results, scalability, and reliability.
The five critical tenets of an effective cyber defense system as reflected in the Critical Controls are:
- Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.
- Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.
- Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
- Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.
- Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.
How Organizations Are Applying the Controls
Dozens of early adopters of the Critical Controls have shared their experiences and lessons learned with the Consortium for Cybersecurity Action (CCA). A pattern has emerged of steps common to many organizations that have made substantial progress in reducing risk using the Critical Controls:
- Step 1. Perform Initial Gap Assessment - determining what has been implemented and where gaps remain for each control and sub-control.
- Step 2. Develop an Implementation Roadmap - selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.
- Step 3. Implement the First Phase of Controls - identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.
- Step 4. Integrate Controls into Operations - focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.
- Step 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.
The CCA is putting together detailed case studies that it will make available to help organizations implement each of these steps.
Structure of the Critical Controls Document
The presentation of each Critical Control in this document includes:
- Proof that the control blocks known attacks and an explanation of how attackers actively exploit the absence of this control.
- Listing of the specific actions that organizations are taking to implement, automate, and measure effectiveness of this control. The sub-controls are grouped into four categories:
  - Quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.[3]
  - Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
  - Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.
  - Advanced sub-controls that use new technologies that provide maximum security but are harder to deploy or more expensive than commoditized security solutions.
- Associated NIST Special Publication 800-53 controls and NSA network security tasks corresponding to each Critical Control.
- Procedures and tools that enable implementation and automation.
- Metrics and tests to assess implementation status and effectiveness.
- Sample entity relationship diagrams that show components of implementation.
Description of Controls
- 1: Inventory of Authorized and Unauthorized Devices
- 2: Inventory of Authorized and Unauthorized Software
- 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- 4: Continuous Vulnerability Assessment and Remediation
- 5: Malware Defenses
- 6: Application Software Security
- 7: Wireless Access Control
- 8: Data Recovery Capability
- 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- 11: Limitation and Control of Network Ports, Protocols, and Services
- 12: Controlled Use of Administrative Privileges
- 13: Boundary Defense
- 14: Maintenance, Monitoring, and Analysis of Audit Logs
- 15: Controlled Access Based on the Need to Know
- 16: Account Monitoring and Control
- 17: Data Protection
- 18: Incident Response and Management
- 19: Secure Network Engineering
- 20: Penetration Tests and Red Team Exercises
This work is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
To further clarify the Creative Commons license related to the 20 Critical Controls content, (i) all persons are authorized to use the content as a framework in their organization or to sell professional services related to the content (e.g., a consulting engagement to implement the 20 Critical Controls), and (ii) sale of the contents as a framework model is not authorized. Users of the 20 Critical Controls framework are also required to refer to http://www.sans.org/critical-security-controls/ when referring to the 20 Critical Controls in order to ensure that users are employing the most up-to-date guidance.
Summary and Action Plan
This document has been developed through the collaboration of a diverse set of security experts. While there is no such thing as absolute protection, proper implementation of the security controls identified in this document will ensure that an organization is protecting itself against the most significant attacks. As attacks change, additional controls or tools become available, or the state of common security practice advances, this document will continue to be updated to reflect what is viewed by the collaborating authors as the most important security controls to defend against cyber attacks.
Given that these critical controls so closely track current threats and attacks, we recommend that CIOs and CISOs consider several immediate actions to ensure the effectiveness of their security programs:
- Conduct a gap assessment to compare the organization's current security stance to the detailed recommendations of the Critical Controls
- Implement the "First Five" and other "quick win" Critical Controls to address the gaps identified by the assessment over the next one or two quarters
- Assign security personnel to analyze and understand how Critical Controls beyond the quick wins can be deployed in the organization's environment
- Devise detailed plans to implement the "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls over the next year
- Plan for deployment of the "advanced controls" over the longer term.
[1] This effort is led by Tony Sager, Chief Technologist of the Council on CyberSecurity, the recently retired Chief Operating Officer of the U.S. National Security Agency's (NSA) Information Assurance Directorate, who previously managed the Vulnerability Analysis & Operations Group of NSA.
[2] As reported by the Consortium for Cybersecurity Action.
[3] Five "quick wins" delineated in Critical Controls 2, 3, and 4 (with one repeated in Control 12) are highlighted as the "First Five." They are being implemented first by the most security-aware and skilled organizations because they are the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations. The "First Five" cover (1) software whitelisting, (2) secure standard configurations, (3) application security patch installation within 48 hours, (4) system security patch installation within 48 hours, and (5) ensuring administrative privileges are not active while browsing the web or handling email. Most organizations monitor the coverage and effectiveness of these sub-controls through Continuous Monitoring and Mitigation as outlined in Critical Control 4.